With a decision published on March 18, 2019, the Danish Privacy Authority, Datatilsynet (DPA), found that a Danish Taxi App – Taxa 4×35 – did not respect the principle of data minimization envisaged by the GDPR (art. 5.1(c)), keeping the personal data of the customers beyond the expected retention period. The company deleted the names and addresses of the data subjects after two years of retention, compliant with the applicable retention period, but kept the subjects’ telephone numbers for an additional three years.
According to the company, the reason why the phone number is not deleted is that the number is the key to the system’s database and therefore is necessary in relation to the company’s product and business development.
However the DPA found that one cannot set a deletion period, which is three years longer than necessary, simply because the company’s system makes it difficult to comply with the rules in the GDPR and recommended a fine of around $180,000, according to this source.
The decision Tilsyn med Taxa 4×35’s behandling af personoplysninger published on March 18, 2019, is available at https://www.datatilsynet.dk…
For more information about how privacy is implemented in Europe, contact Francesca Giannoni-Crystal & Federica Romanelli.